Darkcoder found a flaw in Realistic 12 that allowed him to read any file through the guest.pl script. The bug was that user input was checked before the URI escapes were decoded, so he could specify any character he wanted.
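The check-before-decode ordering described above, shown next to the corrected order, as an added example in Python (it is not the site's guest.pl code). The base directory, the denylist, the allowlist and the sample file names are all assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

BASE_DIR = "/srv/guestbook"              # hypothetical data directory
FORBIDDEN = ("..", "/", "\\", "\0")      # assumed denylist of the flawed check
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)?")  # allowlist for the fix


def check_then_decode(raw):
    """Flawed order: validate the raw value, then URI-decode it.

    Returns the normalized path that would be opened, or None if rejected.
    """
    if any(bad in raw for bad in FORBIDDEN):
        return None
    name = unquote(raw)  # decoding after the check reintroduces filtered characters
    return posixpath.normpath(posixpath.join(BASE_DIR, name))


def decode_then_check(raw):
    """Corrected order: decode exactly once, then validate what will be used."""
    name = unquote(raw)
    # '%' is not in the allowlist, so double-encoded input is rejected as well.
    if not SAFE_NAME.fullmatch(name):
        return None
    path = posixpath.normpath(posixpath.join(BASE_DIR, name))
    # Defence in depth: the resolved path must still sit inside BASE_DIR.
    if not path.startswith(BASE_DIR + "/"):
        return None
    return path


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = ["entries.txt", "../secret.txt", "%2e%2e%2fsecret.txt",
               "%252e%252e%252fsecret.txt", "entries%2Etxt"]
    for raw in samples:
        print(f"{raw!r:32} flawed={check_then_decode(raw)!r:30} "
              f"fixed={decode_then_check(raw)!r}")
```

The flawed function rejects the literal `../secret.txt` but accepts its percent-encoded form, because the denylist never sees the decoded characters.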

Nines9 and StenoPlasma found a CSRF vulnerability in the Forum BBCode that allowed them to make themselves site administrators, log out users, flag comments, accept and delete IRC-linked nicknames, etc.